If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Well ... dumpsec ...can't say that I've got much experience with it..I've seen it used once in a presentation on security but not in depth ... as far as corruption ..never heard any reports about it corrupting the AD. But maybe someone on this forum has.

Anyway ..Google turned up quite some sites about dumpsec ... I know it's always nice to hear from someone first hand but here is a link to some kind of review about dumpsec : LINK .

Offcourse there are many more links ... I would advise to read some of them ... but perhaps you allready done that and are looking for some hand on experience from someone?

After checking out microsofts technet site I found this article. link
Apparently Microsoft see's no problem with using dumpsec and I never had a problem with the tools from systemtools so i reckon you should be ok.

What's the best tool to dump ACLs?
Q: I was wondering if there were any tools or techniques to list existing permissions for a given group name across a Windows NT domain. Ours is a particularly large domain and we regularly review permissions using DumpACL, but I was looking for something a little more convenient than manually searching ACLs for an instance of a particular group name. A command line utility that could pipe the result to a text file would be nice.

A: There is a tool that will do exactly what you need, and it's surprisingly close at hand. By the wording of your question, I have to assume that you are using the graphical interface for DumpACL (now called DumpSec to manually search through file access control lists (ACLs) to identify the group in question. Many are not aware that DumpSec also operates in command-line mode and can generate reports in a number of text file formats. Using DumpSec in command-line mode is as simple as calling it from a command line rather than launching it from Windows Explorer. The following example will run DumpSec in batch mode (the command shown here is line-wrapped for legibility):

C:\dumpsec&gt; dumpsec.exe /computer=\\server1 /rpt=allsharedirs

/outfile=c:\reports\output.txt /saveas= tsv

This report will dump the permissions for all non-administrative shares on \\server1, and it assumes you already have an existing network connection to \\server1 with appropriate privileges (for example, connect to \\server1\IPC$ as Administrator). The report will show owner and permissions but not audit settings, and it is saved as the tab separated value ("tsv") file c:\reports\output.txt. This command could easily be scripted to check a list of servers on a regular basis. Now all you have to do is findstr this output file for the group name that you are interested in, and all relevant references should pop up. For example, to find all occurrences of the "Power Users" group, you could use:

C:\ dumpsec&gt;findstr /C:"Power Users" c:\reports\output.txt

\\server1\share1\ server1\Power Users RWXD RWXD

\\server1\docs\ server1\Power Users o all all

This pulls each line of the DumpSec output that contains "Power Users," as shown. I have not added the column headers from the original DumpSec report here, but from right to left they are: shared directory/file, Account, Owner, Directory Permissions, and File Permissions. So from the findstr output, we see that for the \\server1\docs share, Power Users are the owner, and they have all permissions for the directory and files therein.

I hope this gets you started on automating the process of reviewing permissions. Don't forget that DumpSec can also probe many other aspects of Windows NT/Windows 2000 security in the same way, including users, groups, the Registry, printers, policies, rights, and services.

?

\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
Oscar Wilde(1854-1900)